Block non-HTTP connections to external IPs #466
1bd9307 to 7e0803d
Hey! As discussed on irc you should probably also allow UDP port 52 (dns) and 123 (ntp) as well. Other than that it doesn't seem unreasonable to lock things down to TCP 80/443, but it can be wider than that if we know what's needed.
Looks like it isn't taking...
I think it wants an ipBlock (I was hoping it was optional). Pushing a fix shortly.
I think we can drop the 'to' clause and it seems pretty happy. Can't curl an ftp server at any rate
That change seems to allow access everywhere. Let me try something. |
@vivian-rook try the latest version I just pushed |
Oh the one I pushed last appears to be working, I'm going to push it again |
I'm not sure what kind of network connections PAWS users need from their notebooks, but I assume most will be HTTP/S connections to external websites or APIs, or Git repositories served over HTTP/S. Connections to UDP ports 53 (DNS) and 123 (NTP) are also legitimate. Blocking other types of ports and protocols should prevent several forms of malicious traffic that could originate from PAWS. Bug: T381373
Ok, I think we're good here. ssh and ftp aren't connecting externally, ssh is connecting internally, OpenRefine and Rstudio seem to work, pwb can do some things. I think we're good. We'll see if any less obvious stuff comes up. Thank yinz!
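The egress rules the PR description lays out (external hosts reachable only over TCP 80/443 and UDP 53/123, internal hosts still reachable over ssh), written out as a Kubernetes NetworkPolicy. This is an added illustration, not the project's own manifest: the policy name, namespace, pod labels and the 10.0.0.0/8 internal range are assumptions and must be replaced with the real values.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-external-egress      # hypothetical name
  namespace: paws-user-notebooks      # assumption: namespace of the notebook pods
spec:
  podSelector:
    matchLabels:
      app: notebook                   # assumption: label carried by user notebook pods
  policyTypes:
    - Egress
  egress:
    # Rule 1: internal destinations stay fully open (all ports, all protocols),
    # which is what keeps ssh to internal hosts working in the thread.
    # 10.0.0.0/8 is a placeholder for the real internal / cluster ranges.
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8
    # Rule 2: everything else is external and only gets HTTP/S, DNS and NTP.
    # The "to" clause is kept on purpose: a rule with "ports" but no "to"
    # matches every destination, so the port restriction would then also
    # apply to internal traffic covered by rule 1.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
        - protocol: UDP
          port: 53
        - protocol: UDP
          port: 123
```

Egress not matched by either rule (ssh or ftp to an external IP, for example) is dropped once a NetworkPolicy-enforcing CNI is in place; without such a CNI the object is accepted but has no effect, so the curl-to-ftp check from the thread is the right way to confirm enforcement.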